Centers for Disease Control and Prevention
U.S. Department of Health and Human Services

HIPAA Basic Facts

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two Titles. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and addresses the security and privacy of health information. HIPAA was first proposed with the simple objective of ensuring health insurance coverage after leaving a job. In addition to these portability provisions, however, Congress added an Administrative Simplification section with the goal of saving money. The Administrative Simplification section was requested and supported by the health care industry because it standardized electronic transactions and required standard record formats, code sets, and identifiers.

Following this standardization effort, Congress recognized the need to enhance the security and privacy of individually identifiable health information in all forms. In 1999, Congress directed HHS to develop privacy and security requirements in accordance with HIPAA's Title II.

What is the Privacy Rule?

The Privacy Rule is a federal regulation defining administrative steps, policies, and procedures to safeguard individuals' personal, private health information (protected health information or PHI).

 

The Privacy Rule is designed to empower patients by guaranteeing them access to their medical records, giving them more control over how their PHI is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule is designed to protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

When does the Privacy Rule become effective?

President Bush approved the regulations on April 12, 2001, and they took effect on April 14, 2001. Covered entities, including hospitals and physicians, have two years to comply (by April 14, 2003); small health plans have until April 14, 2004.

Who must comply with the Privacy Rule?

The Privacy Rule defines the following types of health care organizations as “covered entities”:

· All health care providers who choose to transmit certain administrative and financial health information electronically.

· All health plans.

· All health care clearinghouses.

Covered entities may disclose health information to persons or organizations they hire to perform functions on their behalf (e.g. legal or accounting services). These “business associates” are bound by contract with the covered entity not to use or disclose protected health information in any way the covered entity itself would not be permitted to.

What information is protected?

The rule defines “protected health information” as health information that

1. identifies an individual, and

2. is maintained or exchanged electronically or in hard copy.

If the information contains any component that could be used to identify a person, it is protected. The protection stays with the information as long as it is in the hands of a covered entity or a business associate, and applies to individually identifiable information in any form, electronic or non-electronic. The paper progeny of electronic information is covered (i.e. the information does not lose its protection simply because it is printed out of a computer), and oral communications are covered as well.

Will the Privacy Rule preempt state law?

Possibly. Pursuant to the HIPAA statute, the rule preempts state laws that conflict with its requirements, with exceptions for certain public health functions and related activities. Stronger state laws (e.g. those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative: the final rule sets a national “floor” of privacy standards that protect all Americans, and states with more restrictive privacy provisions keep them, providing their citizens with additional protections.

Are all state laws subject to Privacy Rule preemption?

No.  HIPAA also carves out certain areas of state authority that are not limited or invalidated by the provisions of HIPAA: these areas relate to public health and state regulation of health plans.  In terms of public health for example, Section 160.203(c) of the regulation states that State law is not preempted if, “The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”
This page last reviewed April 18, 2003.